George Theall of Tenable Security notified the LedgerSMB core team today
of an authentication bypass vulnerability allowing full access to the
administrator interface of LedgerSMB 1.1 and SQL-Ledger 2.x. The
problem is caused by the password checking routine failing to enforce a
password check under certain circumstances. The user can then create
accounts or effect denial of service attacks.
This is not related to any previous CVE.
We have coordinated with the SQL-Ledger vendor and today both of us
released security patches correcting the problem. SQL-Ledger users who
can upgrade to 2.6.26 should do so, and LedgerSMB 1.1 or 1.0 users
should upgrade to 1.1.9. Users who cannot upgrade should configure
their web servers to use http authentication for the admin.pl script in
the main root directory.
email;internet:chris (at) metatrontech (dot) com [email concealed]